Skip to content

Commit

Permalink
Update SO names; sync with debian.Dockerfile
Browse files Browse the repository at this point in the history
  • Loading branch information
@reachfh
reachfh committed Jun 26, 2024
1 parent 8e16ae2 commit e28aebd
Showing 1 changed file with 58 additions and 35 deletions.
93 changes: 58 additions & 35 deletions deploy/distroless.Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,13 @@ ARG BASE_OS=debian
# Specify versions of Erlang, Elixir, and base OS.
# Choose a combination supported by https://hub.docker.com/r/hexpm/elixir/tags

ARG ELIXIR_VER=1.16.2
ARG OTP_VER=26.2.5
ARG ELIXIR_VER=1.17.1
ARG OTP_VER=27.0

# https://docker.debian.net/
# https://hub.docker.com/_/debian
ARG BUILD_OS_VER=bullseye-20230612-slim
ARG PROD_OS_VER=bullseye-20230612-slim
ARG BUILD_OS_VER=bookworm-20240612
ARG PROD_OS_VER=bookworm-slim

# Specify snapshot explicitly to get repeatable builds, see https://snapshot.debian.org/
# The tag without a snapshot (e.g., bullseye-slim) includes the latest snapshot.
Expand Down Expand Up @@ -68,7 +68,8 @@ ARG APP_GROUP=$APP_USER
ARG APP_USER_ID=65532
ARG APP_GROUP_ID=$APP_USER_ID

ARG LANG=C.UTF-8
# ARG LANG=C.UTF-8
ARG LANG=C.utf8
# ARG LANG=en_US.UTF-8

# Elixir release env to build
Expand Down Expand Up @@ -152,6 +153,8 @@ FROM ${BUILD_BASE_IMAGE_NAME}:${BUILD_BASE_IMAGE_TAG} AS build-os-deps
openssh-client \
# Support ssl in container, as opposed to load balancer
openssl \
wget \
zip \
# Install default nodejs
# nodejs \
# Install default Postgres
Expand All @@ -160,7 +163,7 @@ FROM ${BUILD_BASE_IMAGE_NAME}:${BUILD_BASE_IMAGE_TAG} AS build-os-deps
# $RUNTIME_PACKAGES \
&& \
locale-gen && \
mkdir -p /etc/apt/keyrings && \
mkdir -p -m 755 /etc/apt/keyrings && \
# Install nodejs from nodesource.com
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
Expand All @@ -176,15 +179,21 @@ FROM ${BUILD_BASE_IMAGE_NAME}:${BUILD_BASE_IMAGE_TAG} AS build-os-deps
curl -sL --ciphers ECDHE-RSA-AES128-GCM-SHA256 https://dl.yarnpkg.com/debian/pubkey.gpg -o /etc/apt/trusted.gpg.d/yarn.asc && \
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && \
printf "Package: *\nPin: release o=dl.yarnpkg.com\nPin-Priority: 500\n" | tee /etc/apt/preferences.d/yarn.pref && \
# Install GitHub CLI
# wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg && \
# chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg && \
# echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list && \
# Install Trivy
# curl -sL https://aquasecurity.github.io/trivy-repo/deb/public.key -o /etc/apt/trusted.gpg.d/trivy.asc && \
# printf "deb https://aquasecurity.github.io/trivy-repo/deb %s main" "$(lsb_release -sc)" | tee -a /etc/apt/sources.list.d/trivy.list && \
apt-get update -qq && \
DEBIAN_FRONTEND=noninteractive \
apt-get -y install -y -qq --no-install-recommends \
# gh \
nodejs \
# trivy \
yarn \
# yarnpkg \
&& \
# Install latest Postgres from postgres.org repo
# curl -sL https://www.postgresql.org/media/keys/ACCC4CF8.asc -o /etc/apt/trusted.gpg.d/postgresql-ACCC4CF8.asc && \
Expand Down Expand Up @@ -250,8 +259,8 @@ FROM build-os-deps AS build-deps-get

# Copy only the minimum files needed for deps, improving caching
COPY --link config ./config
COPY --link mix.exs .
COPY --link mix.lock .
COPY --link mix.exs ./
COPY --link mix.lock ./

# COPY --link .env.default ./

Expand Down Expand Up @@ -339,7 +348,7 @@ FROM build-deps-get AS prod-release

WORKDIR $APP_DIR

COPY --link .env.pro[d] .
COPY --link .env.pro[d] ./

# Compile deps separately from application for better caching.
# Doing "mix 'do' compile, assets.deploy" in a single stage is worse
Expand All @@ -353,39 +362,30 @@ FROM build-deps-get AS prod-release

RUN mix esbuild.install --if-missing

# Install JavaScript deps using yarn
RUN mkdir -p ./assets

# Install JavaScript deps
COPY --link assets/package.jso[n] assets/package.json
COPY --link assets/package-lock.jso[n] assets/package-lock.json
COPY --link assets/yarn.loc[k] assets/yarn.lock
COPY --link assets/brunch-config.j[s] assets/brunch-config.js

WORKDIR ${APP_DIR}/assets

RUN --mount=type=cache,target=~/.npm,sharing=locked \
set -exu && \
corepack enable && \
# yarn --cwd ./assets install --prod
yarn install --prod
# npm install
# npm --prefer-offline --no-audit --progress=false --loglevel=error ci
# node node_modules/brunch/bin/brunch build

RUN set -exu && \
mkdir -p ./assets && \
yarn --cwd ./assets install --prod
# cd assets && yarn install --prod

# Install JavaScript deps using npm
# WORKDIR "${APP_DIR}/assets"
# COPY --link assets/package.jso[n] ./
# COPY --link assets/package-lock.jso[n] ./
# RUN npm install

# Compile assets the old way
# WORKDIR "${APP_DIR}/assets"
#
# COPY --link assets/package.json ./
# COPY --link assets/package-lock.json ./
#
# RUN --mount=type=cache,target=~/.npm,sharing=locked \
# npm --prefer-offline --no-audit --progress=false --loglevel=error ci
#
# COPY --link assets ./
#
# RUN --mount=type=cache,target=~/.npm,sharing=locked \
# npm run deploy
#
# Generate assets the really old way
# RUN --mount=type=cache,target=~/.npm,sharing=locked \
# npm install && \
# node node_modules/webpack/bin/webpack.js --mode production

WORKDIR $APP_DIR
Expand Down Expand Up @@ -417,9 +417,22 @@ FROM build-deps-get AS prod-release
# Build release
COPY --link rel ./rel

# Generate systemd and deploy scripts
# RUN mix do systemd.init, systemd.generate, deploy.init, deploy.generate

RUN mix release "$RELEASE"

# Create revision for CodeDeploy
# WORKDIR /revision
# COPY appspec.yml ./
# RUN set -exu && \
# mkdir -p etc bin systemd && \
# cp /app/bin/* ./bin/ && \
# cp /app/_build/${MIX_ENV}/systemd/lib/systemd/system/* ./systemd/ && \
# cp /app/_build/${MIX_ENV}/${RELEASE}-*.tar.gz "./${RELEASE}.tar.gz" && \
# zip -r /revision.zip . && \
# rm -rf /revision/*

# Create staging image for files which are copied into final prod image
FROM ${INSTALL_BASE_IMAGE_NAME}:${INSTALL_BASE_IMAGE_TAG} AS prod-install
ARG LANG
Expand Down Expand Up @@ -506,6 +519,7 @@ FROM ${INSTALL_BASE_IMAGE_NAME}:${INSTALL_BASE_IMAGE_TAG} AS prod-install
truncate -s 0 /var/log/apt/* && \
truncate -s 0 /var/log/dpkg.log

RUN cat /etc/locale.gen
RUN ls -l "/lib/"
RUN ls -l "/lib/$(uname -m)-linux-gnu/"
RUN ls -l "/usr/lib/"
Expand All @@ -529,10 +543,15 @@ FROM ${PROD_BASE_IMAGE_NAME}:${PROD_BASE_IMAGE_TAG} AS prod-base

# Copy shared libraries needed at runtime

# # libtinfo6
# COPY --from=prod-install "/lib/${LINUX_ARCH}-linux-gnu/libtinfo.so.6.2" "/lib/${LINUX_ARCH}-linux-gnu/libtinfo.so.6"
# # libncurses6
# COPY --from=prod-install "/lib/${LINUX_ARCH}-linux-gnu/libncursesw.so.6.2" "/lib/${LINUX_ARCH}-linux-gnu/libncurses2.so.6"

# libtinfo6
COPY --from=prod-install "/lib/${LINUX_ARCH}-linux-gnu/libtinfo.so.6.2" "/lib/${LINUX_ARCH}-linux-gnu/libtinfo.so.6"
COPY --from=prod-install "/lib/${LINUX_ARCH}-linux-gnu/libtinfo.so.6" "/lib/${LINUX_ARCH}-linux-gnu/libtinfo.so.6"
# libncurses6
COPY --from=prod-install "/lib/${LINUX_ARCH}-linux-gnu/libncursesw.so.6.2" "/lib/${LINUX_ARCH}-linux-gnu/libncurses2.so.6"
COPY --from=prod-install "/lib/${LINUX_ARCH}-linux-gnu/libncursesw.so.6" "/lib/${LINUX_ARCH}-linux-gnu/libncurses2.so.6"

# Part of distroless/cc image
# libgcc-s1
Expand Down Expand Up @@ -573,6 +592,10 @@ FROM prod-base AS prod
# Needed for RELEASE_TMP
"/run/${APP_NAME}"

# Copy CodeDeploy revision into prod image for publishing later
# This could be put in a separate target, but it's faster to do it from prod test
# COPY --from=prod-release --chown="$APP_USER:$APP_GROUP" /revision.zip /revision.zip

# USER $APP_USER

# Setting WORKDIR after USER makes directory be owned by the user.
Expand Down

0 comments on commit e28aebd

Please sign in to comment.